Raising the bar on Marketplace cloud app security: together

Hi @ZacharyEchouafni,

While I understand the policy to not include critical and high security dependency type vulnerabilities, it would help greatly if Atlassian would ship software not including these vulnerabilities.

As of today (2026-01-30) a fresh install of @forge/cli has: 15 vulnerabilities (7 low, 2 moderate, 6 high).

Also a fresh install of @atlassian/atlassian-connect-express has: 24 vulnerabilities (3 moderate, 19 high, 2 critical).

Additionally both contain outdated/unmaintained dependencies.

We need to use this software to build for Atlassian.

It went so far that one of our apps got flagged because of these vulnerabilities, and then we pointed out that this is due to an Atlassian dependency. Then the issue was dropped. We would much prefer to have secure dependencies.
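The reply above reports `npm audit` counts by severity and notes that the findings came in through a vendor dependency rather than the app's own code. The script below is an added example, not code from the post or from Atlassian: it parses the `npm audit --json` report format (auditReportVersion 2), counts findings by severity, separates direct from transitive dependencies, and applies a "no high or critical" gate of the kind described in the policy. The embedded report is a constructed sample with placeholder package names (`example-parser`, `example-tool`, `example-logger`), not real advisories.

```python
import json
import sys
from collections import Counter

# npm's severity scale, lowest to highest.
SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]

# Constructed sample in the shape of `npm audit --json` (auditReportVersion 2).
# Package names and advisory titles are placeholders, not real findings.
SAMPLE_AUDIT_JSON = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-parser": {
            "name": "example-parser", "severity": "high", "isDirect": False,
            "via": [{"title": "placeholder advisory", "severity": "high"}],
            "effects": ["example-tool"], "range": "<1.2.3",
            "nodes": ["node_modules/example-parser"], "fixAvailable": True,
        },
        "example-tool": {
            "name": "example-tool", "severity": "high", "isDirect": True,
            # A transitive finding "via" another package: the app only depends on example-tool.
            "via": ["example-parser"], "effects": [], "range": "*",
            "nodes": ["node_modules/example-tool"], "fixAvailable": True,
        },
        "example-logger": {
            "name": "example-logger", "severity": "low", "isDirect": False,
            "via": [{"title": "placeholder advisory", "severity": "low"}],
            "effects": [], "range": "<2.0.0",
            "nodes": ["node_modules/example-logger"], "fixAvailable": False,
        },
    },
    "metadata": {
        "vulnerabilities": {"info": 0, "low": 1, "moderate": 0,
                            "high": 2, "critical": 0, "total": 3},
    },
})


def summarize(report_json):
    """Return (counts_by_severity, direct_packages, transitive_packages)."""
    report = json.loads(report_json)
    vulns = report.get("vulnerabilities", {})
    counts = Counter(v["severity"] for v in vulns.values())
    direct = sorted(n for n, v in vulns.items() if v.get("isDirect"))
    transitive = sorted(n for n, v in vulns.items() if not v.get("isDirect"))
    return dict(counts), direct, transitive


def blocking_findings(report_json, threshold="high"):
    """Packages at or above `threshold` severity, with whether npm reports a fix.

    Findings without a fix available are the ones a downstream developer cannot
    resolve alone; they have to wait on the upstream package.
    """
    report = json.loads(report_json)
    floor = SEVERITY_ORDER.index(threshold)
    return sorted(
        (name, bool(v.get("fixAvailable")))
        for name, v in report.get("vulnerabilities", {}).items()
        if SEVERITY_ORDER.index(v["severity"]) >= floor
    )


def violates_policy(report_json, threshold="high"):
    """True if any finding is at or above `threshold` (default: high or critical)."""
    return len(blocking_findings(report_json, threshold)) > 0


if __name__ == "__main__":
    # Usage: npm audit --json | python check_audit.py
    data = sys.stdin.read() or SAMPLE_AUDIT_JSON
    counts, direct, transitive = summarize(data)
    print("by severity:", {s: counts.get(s, 0) for s in SEVERITY_ORDER})
    print("direct:", direct)
    print("transitive:", transitive)
    for name, fixable in blocking_findings(data):
        print(f"BLOCKING {name} (fix available: {fixable})")
    sys.exit(1 if violates_policy(data) else 0)
```

Run with the sample to see the shape of the output, or pipe a real `npm audit --json` report into it in CI; a non-zero exit means the gate failed. The direct/transitive split and the `fixAvailable` flag are what make the report actionable: a transitive high finding with no fix available is exactly the case the reply describes, where the fix has to come from the upstream package.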